How to Secure My Wireless Network

Posted by onJuly 22, 2019| Featured

With wireless networks everywhere from secret research facilities to coffee shops, learning how to secure your wireless network is critical. There isn’t a perfect Wi-Fi security strategy, as such, securing a network requires a combination of techniques that will need reevaluation over time. Below are five key elements of a security evaluation strategy.

How to Physically Secure My Wireless Network

When focusing on wireless security, the security of access points (APs) and Ethernet ports can be easy to overlook. For this reason, network owners should maintain the security of both physical and virtual ways to access your network.

One example of a commonly overlooked physical attack exploits physical access to wireless access points. It’s common practice for access points to have a reset button you can press to restore factory settings. This removes Wi-Fi security and allows anyone to connect. The potential for this functionality to be used against you can be minimized by keeping APs out of easy reach and looking into your AP vendor’s locking options. These techniques can help make it difficult for unauthorized people to press the buttons on an AP.

Ethernet ports are another thing to consider. Disabling ethernet
ports can minimize a hacker’s ability to access an organization’s Wi-Fi
network. For additional security, it’s possible to make it so that physical
ports are only accessible by certain users and/or devices.

How to Segment My Network

Another way to secure your wireless network is by isolating
different parts of your network from one another. Creating separate subnetworks
can help limit the spread of malware between devices on networks. Common
separate networks include those for guests and IoT devices. This is because guest
and IoT devices present particular vulnerabilities. A guest network can be
helpful in keeping guest users isolated from the portion of the network where business
data is accessible. An IoT device network can be helpful because they are often
less secure than their non IoT counterparts.

It’s also possible to take this even further by segmenting a
single network using VLANS to the point that each user has their own network.
Learn more about segmenting your network and how to implement it from our
article What
is Network Segmentation.

How
to Use WPA2 Enterprise with 802.1X Authentication

For effective segmentation of a network, devices need to
stay in their intended portion of the network. This is where WPA2 Enterprise with
802.1X Authentication can help.

Some APs may still use Wired Equivalent Privacy (WEP) but
this protocol is insecure to the point that hackers can potentially break into
a network using this protocol within minutes. Yet even with WPA protocols,
different versions of these protocols and techniques of applying them can further
influence the level of security.

The non-enterprise, WPA2 Personal version has a single
pre-shared password. This means that anyone who knows this one password can
access the network. The Wi-Fi Protected
Access 2 (WPA2) Enterprise version enables each user to authenticate
individually with separate usernames and passwords. This approach is inherently
more secure because a person must know both the password and the user it’s
associated with. If a person leaves the organization or a device is stolen, the
organization can either change or revoke that user’s credentials as opposed to changing
the password for everyone to ensure only current users know the password. The WPA2
Enterprise version also has the potential to give network owners a better idea
of where a breach originates with the integration of certain software.

To enable Enterprise mode, you need a RADIUS server. A
RADIUS server makes it possible for user authentication and connection to
services like Active Directory or LDAP that stores usernames and passwords.

How
to Secure the 802.1X Client Settings

Some hackers setup false wireless networks with an SSID
identical to the one of the network its imitating. This enables hackers of
networks that don’t use 802.1X client settings to steal user credentials.
Enabling server identification on the client side helps prevent this. It
ensures that the user’s device won’t transfer Wi-Fi login credentials to the RADIUS
server until the server is confirmed as a legit server. With 802.1X, it is also
possible to have mutual authentication between the client and the server using
certification so that both devices can receive certification that they are what
they claim.

How
to Detect Rogue APs

Enabling 802.1X client settings minimizes the chance of
hackers stealing credentials with false ways to access a network, but it’s best
to help ensure that unofficial APs are detected quickly to minimize the risk of
devices connecting to them. This is possible with rogue AP detection. Rogue APs
are unofficial ways to access the network. While sometimes used for legitimate
reasons like increasing the Wi-Fi signal, these can also be setup by hackers.
It is, therefore, important to regularly scan for rogue APs using software like
a Wi-Fi scanner, wireless intrusion detection system (WIDS) or intrusion
protection system (WIPS).

How Impulse Can Help

Impulse’s SafeConnect Network Access Control (NAC) can
provide users with a RADIUS server and a means to do things like implement
802.1X, segment your network, and limit access to physical APs. Learn more
about SafeConnect NAC on Impulse’s SafeConnect
Overview page.